InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB report anticipates data collection on small-business lending

    Agency Rule-Making & Guidance

    On December 15, the CFPB released a report detailing the results of the panel convened pursuant to the Small Business Regulatory Enforcement Fairness Act (SBREFA), which discussed the Bureau’s pending rulemaking to implement Section 1071 of the Dodd-Frank Act. Section 1071 requires the Bureau to engage in a rulemaking to collect and disclose data on lending to both women-owned and minority-owned small businesses. In September, the Bureau released a detailed outline describing the proposals under consideration for Section 1071 implementation, including factors such as scope, covered lenders, covered products, data points, and privacy (details covered by InfoBytes here). The October panel was comprised of a representative from the Bureau, the Chief Counsel for Advocacy of the Small Business Administration, and a representative from the Office of Information and Regulatory Affairs in the Office of Management and Budget. The panel consulted with small entity representatives (SERs)—those who would likely be directly affected by the Section 1071 rulemaking—to discuss the economic impacts of compliance with the outline’s proposals, as well as regulatory alternatives to the proposals.

    The report includes, among other things, the feedback and recommendations made by the SERs, and the findings and recommendations of the panel. Generally, the SERs were supportive of the proposal with “many expressly support[ing] broad coverage of both financial institutions and products in the 1071 rulemaking.” The SERs backed data transparency and simple regulations but expressed significant concern that the rulemaking would cause smaller financial institutions to “incur disproportionate compliance cost compared to large [financial institutions]” and would ultimately either decrease lending or increase costs for small businesses. The SERs also recommended that the Bureau take into account different types of financial institutions operating in the small business lending market, including non-depository institutions. The report also details specific recommendations by the panel, including that the Bureau issue compliance materials in connection with the rulemaking and consider providing sample disclosure language related to the collection of race, sex, and ethnicity information for principal owners as well as women-owned and minority-owned business status.

    Agency Rule-Making & Guidance Small Business Lending Section 1071 Dodd-Frank SBREFA CFPB

  • Agencies propose computer-security incident notification rule

    Agency Rule-Making & Guidance

    On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “‘computer-security incident’ that rises to the level of a ‘notification incident’” has occurred. Additionally, the NPRM would require bank service providers “to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.” According to the agencies, these “notification incidents” are significant computer-security incidents that have the potential to “jeopardize the viability of the operations of an individual banking organization,” and may impact the safety and soundness or stability of the banking organization, leading to a disruption in the delivery of bank products and services, among other things. The agencies stress, however, that the required notice is intended to serve as an early alert and not as an assessment of the incident. According to a statement released by FDIC Chairman Jelena McWilliams, only computer-security incidents that meet the definition of a “notification incident” must be reported—a figure which is estimated to be roughly 150 incidents a year, according to a review of supervisory data and suspicious activity reports.

    Comments on the NPRM are due 90 days after publication in the Federal Register.

    Agency Rule-Making & Guidance FDIC Federal Reserve OCC Privacy/Cyber Risk & Data Security

  • FDIC approves final brokered deposits rule, clarifies fintech partnerships

    Agency Rule-Making & Guidance

    On December 15, the FDIC approved a final rule, which creates a new framework for brokered deposits by, among other things, establishing bright-line standards for determining the definition of a “deposit broker,” as well as a methodology for “analyzing whether deposits made through deposit arrangements qualify as brokered deposits, including those between insured depository institutions (IDIs) and third parties, such as financial technology companies.” Also released are two fact sheets on brokered deposits and interest rate restrictions (see here and here). The final rule follows a notice of proposed rulemaking issued last December (covered by InfoBytes here), which sought feedback on ways the agency could improve its brokered deposit regulation to ensure the “classification of a deposit as brokered appropriately reflects changes in the banking system, including banks’ use of new technologies to engage and interact with their customers.” The final rule also establishes a series of exceptions that will allow banks and their partners to determine whether they can avoid restrictions on brokered deposits, and will establish a process for entities to apply for a “primary purpose exception” if their relationship with an outside entity supplying deposits does not meet one of the final rule’s “designated exceptions.” Further, the FDIC noted that brokered deposit restrictions will not apply to banks that enter into exclusive deposit placement arrangements, such as those seen often between fintech companies and a partner bank, because, according to a statement released by FDIC Chairman Jelena McWilliams, “[e]ntities who place deposits with only one bank are less likely to present the types of funding stability risks that may arise when deposit brokers place deposits at a range of banks.” Further, the final rule amends the methodology for calculating the interest rate restrictions applicable to less than well capitalized IDIs, and changes the methodology for calculating the national rate and national rate cap for specific deposit products.

    Acting Comptroller of the Currency Brian P. Brooks issued a statement in support of the final rule: “These improvements to the brokered-deposit rule help promote greater access to financial services by supporting fintech and bank partnerships and allowing a wider array of services to be available in the market, especially for unbanked and underbanked Americans for whom the easier user interface of fintech apps is a gateway to the mainstream financial system.”

    Agency Rule-Making & Guidance FDIC OCC Brokered Deposits Fintech

  • FTC settles with mortgage analytics company over vendor oversight deficiencies

    Federal Issues

    On December 15, the FTC announced a settlement with a Texas-based mortgage data analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.

    The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.

    Federal Issues FTC Enforcement Consumer Protection Privacy/Cyber Risk & Data Security Gramm-Leach-Bliley FTC Act Third-Party Vendor Management

  • SEC awards whistleblower with audit responsibilities more than $300,000

    Securities

    On December 14, the SEC announced a more than $300,000 whistleblower award in connection with a successful enforcement action. According to the redacted order, in connection with the whistleblower’s audit-related responsibilities, the whistleblower became aware of potential securities law violations and voluntarily provided original information that contributed significantly to the enforcement action. The whistleblower also met with enforcement staff numerous times, helped to identify potential witnesses, and “aggressively attempted to remedy the misconduct and suffered a unique hardship.” The SEC notes in its press release that while individuals with audit or compliance responsibilities are generally ineligible for awards, “a whistleblower who reasonably believes that an entity is engaging in conduct that would impede the investigation falls within one of the exceptions to that rule.” This is the fourth award paid to a whistleblower with internal audit or compliance-related responsibilities.

    The SEC has now paid approximately $731 million to 124 individuals since the inception of the program.

    Securities SEC Whistleblower Enforcement

  • FCC: Contractors must get consent to make robocalls under TCPA

    Federal Issues

    On December 14, the FCC released an order concluding that federal and state contractors are subject to the restrictions of the TCPA and must obtain prior express consent to call consumers. The order reverses a 2016 decision, which extended the presumption that “the word ‘person’ [in the TCPA] does not include the federal government absent a clear ‘affirmative showing of statutory intent to the contrary’” to calls made by contractors acting as agents of the federal government. The FCC acknowledges a number of requests to reconsider this conclusion, and in an effort to combat unwanted robocalls, the FCC now concludes that this presumption should not be extended to contractors. The FCC notes that there is “no longstanding presumption that a federal contractor is not a ‘person’” and the FCC did not “find any ‘context that otherwise requires’ [them] to ignore the express language of the Communications Act’s definition of the term ‘person’ in this situation.” While the presumption still applies to federal and state governments, the order clarifies that local governments are still considered a “person” under the TCPA and therefore, subject to the robocall restrictions without prior express consent.

    Federal Issues FCC TCPA Robocalls

  • Federal and state authorities target income scams

    Federal Issues

    On December 14, the FTC, along with 19 federal, state, and local law enforcement partners, announced “Operation Income Illusion,” which encompasses more than 50 enforcement actions against scams targeting consumers with false promises of income and financial independence. According to an analysis of complaint data by the FTC, consumers have reported that they lost more than $610 million to income scams since 2016—with more than $150 million of losses reported in the first nine months of 2020—which the FTC attributes to the increase in scams related to the Covid-19 pandemic.

    The announcement also includes four new enforcement actions and one settlement that are part of Operation Income Illusion: (i) an action and temporary restraining order against a Florida-based operation, which sold expensive memberships to programs by promoting earnings between $500 and $12,500 per sale; (ii) an action against a company with Spanish-language ads targeting Latina consumers with false promises of large profits reselling luxury products; (iii) an action and temporary restraining order against a company marketing investment-related services claiming they would enable consumers to make consistent profits off the market; (iv) an action and temporary restraining order against companies perpetrating a telemarketing scheme claiming false affiliation with Amazon.com to get consumers to purchase business opportunity programs; and (v) settlements (available here and here) with ten defendants involved in a scam targeting older adults while selling various money-making opportunities.

    The other agencies reporting actions as part of the sweep include: the SEC, CFTC, the U.S. Attorney’s Office for the Eastern District of Arkansas; and state and county agencies in Arizona, Arkansas, California, Florida, Indiana, Maryland, New Hampshire, Oregon, and Pennsylvania.

    Federal Issues FTC Enforcement State Issues CFTC SEC Fraud

  • FTC orders social media and video streaming companies to provide data on privacy practices

    Federal Issues

    On December 14, the FTC issued orders to nine social media and video streaming companies requiring each company to provide information on their collection, use, and presentation of personal information, including their data gathering and advertising practices. The orders are issued pursuant to Section 6(b) of the FTC Act, which authorizes the FTC “to conduct wide-ranging studies that do not have a specific law enforcement purpose.” According to a sample order, the FTC seeks information concerning the companies’ privacy policies, procedures, and practices, including: (i) how personal and demographic information for both desktop and mobile devices is collected, used, tracked, estimated, or derived; (ii) how user attribute information is derived in order to determine which ads and other content are shown to consumers; (iii) whether algorithms or data analytics are applied to personal information; (iv) how user engagement is measured, promoted, and researched; and (v) how company policies, procedures, and practices are affecting children and teens, including how children and families are targeted and categorized. The Commission voted 4-1 to issue the orders, with Commissioners Chopra, Slaughter, and Wilson releasing a joint statement highlighting the need for the inquiry in order to, among other things, understand the “full scale and scope of social media and video streaming companies’ data collection.” The Commissioners also emphasized the FTC’s interest in “better understand[ing] the financial incentives of social media and video streaming services.” In dissent, Commissioner Phillips argued that the orders are “an undisciplined foray into a wide variety of topics, some only tangentially related to the stated focus of th[is] investigation.”

    Federal Issues FTC Privacy/Cyber Risk & Data Security FTC Act

  • OFAC releases new Non-SDN sanctions reference tool

    Financial Crimes

    On December 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published a new reference tool, the Non-SDN Menu Based Sanctions List (NS-MBS List), which “identifies persons subject to certain non-blocking menu-based sanctions that have been imposed under statutory or other authorities, including certain sanctions described in Section 235 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), as implemented by Executive Order 13849, and the Ukraine Freedom Support Act of 2014, as amended by CAATSA.” OFAC noted that the NS-MBS List is distinct from its List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions, which identifies foreign financial institutions subject to correspondent or payable-through account sanctions.

    Financial Crimes OFAC Designations Department of Treasury OFAC Sanctions Russia Of Interest to Non-US Persons

  • OFAC announces Hong Kong-related designations

    Financial Crimes

    On December 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) added 14 Chinese citizens to the Specially Designated Nationals List. The individuals were designated under Executive Order (E.O.) 13936, which was issued by President Trump in July and, among other things, targets and authorizes the imposition of sanctions on persons who materially assist, sponsor, or provide financial, material, or technological support to activities contributing to the undermining of Hong Kong’s democracy and autonomy. Additionally, E.O. 13936 states that “[a]ll property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person, . . . are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in” with any foreign person identified to have engaged in the aforementioned activities.

    Financial Crimes OFAC Department of Treasury Sanctions Hong Kong China Of Interest to Non-US Persons OFAC Designations
